|
| 1 | +--- |
| 2 | +title: File Permissions |
| 3 | +description: Understanding how WSL determines file permissions in Windows |
| 4 | +keywords: BashOnWindows, bash, wsl, wsl2, windows, windows subsystem for linux, windowssubsystem, ubuntu, debian, suse, windows 10, file,permissions |
| 5 | +ms.date: 01/14/2020 |
| 6 | +ms.topic: article |
| 7 | +ms.assetid: 7afaeacf-435a-4e58-bff0-a9f0d75b8a51 |
| 8 | +ms.custom: seodec18 |
| 9 | +--- |
| 10 | + |
| 11 | +# File Permissions for WSL |
| 12 | + |
| 13 | +This page details how Linux file permissions are interpreted across the Windows Subsystem for Linux, especially when accessing resources inside of Windows on the NT file system. This documentation assumes a basic understanding of the [Linux file system permissions structure](https://wiki.archlinux.org/index.php/File_permissions_and_attributes) <!--TODO: Double check that it's okay to add these links--> and the [umask command](https://en.wikipedia.org/wiki/Umask). |
| 14 | + |
| 15 | +When accessing Windows files from WSL the file permissions are either calculated from Windows permissions, or are read from metadata that has been added to the file by WSL. This metadata is not enabled by default. |
| 16 | + |
| 17 | +## WSL metadata on Windows files |
| 18 | + |
| 19 | +When metadata is enabled as a mount option in WSL, extended attributes on Windows NT files can be added and interpreted to supply Linux file system permissions. |
| 20 | + |
| 21 | +WSL can add four NTFS extended attributes: |
| 22 | + |
| 23 | +| Attribute Name | Description | |
| 24 | +| --- | --- | |
| 25 | +| $LXUID | User Owner ID | |
| 26 | +| $LXGID | Group Owner ID | |
| 27 | +| $LXMOD | File mode (File systems permission octals and type, e.g: 0777) | |
| 28 | +| $LXDEV | Device, if it is a device file | |
| 29 | + |
| 30 | +Additionally, any file that is not a regular file or directory (e.g: symlinks, FIFOs, block devices, unix sockets, and character devices) also have an NTFS [reparse point](https://docs.microsoft.com/en-us/windows/win32/fileio/reparse-points). This makes it much faster to determine the kind of file in a given directory without having to query its extended attributes. |
| 31 | +<!-- TODO: For the blog include ONeDrive detail --> |
| 32 | + |
| 33 | +## File Access Scenarios |
| 34 | + |
| 35 | +Below is a description of how permissions are determined when accessing files in different ways using the Windows Subsystem for Linux. |
| 36 | + |
| 37 | +### Accessing Files in the Windows drive file system (DrvFS) from Linux |
| 38 | + |
| 39 | +These scenarios occur when you are accessing your Windows files from WSL, most likely via `/mnt/c`. |
| 40 | + |
| 41 | +#### Reading file permissions from an existing Windows file |
| 42 | + |
| 43 | +The result depends on if the file already has existing metadata. |
| 44 | + |
| 45 | +##### **The file does not have metadata (default)** |
| 46 | + |
| 47 | +If the file has no metadata associated with it then we translate the effective permissions of the Windows user to read/write/execute bits and set them to the this as the same value for user, group, and other. For example, if your Windows user account has read and execute access but not write access to the file then this will be shown as `r-x` for user, group and other. If the file has the 'Read Only' attribute set in Windows then we do not grant write access in Linux. |
| 48 | + |
| 49 | +##### The file has metadata |
| 50 | + |
| 51 | +If the file has metadata present, we simply use those metadata values instead of translating effective permissions of the Windows user. |
| 52 | + |
| 53 | +#### Changing file permissions on an existing Windows file using chmod |
| 54 | + |
| 55 | +The result depends on if the file already has existing metadata. |
| 56 | + |
| 57 | +##### **The file does not have metadata (default)** |
| 58 | + |
| 59 | +Chmod will only have one effect, if you remove all the write attributes of a file then the 'read only' attribute on the Windows file will be set, since this is the same behaviour as CIFS (Common Internet File System) which is the SMB (Server Message Block) client in Linux. |
| 60 | + |
| 61 | +##### The file has metadata |
| 62 | + |
| 63 | +Chmod will change or add metadata depending on the file's already existing metadata. |
| 64 | + |
| 65 | +Please keep in mind that you cannot give yourself more access than what you have on Windows, even if the metadata says that is the case. For example, you could set the metadata to display that you have write permissions to a file using `chmod 777`, but if you tried to access that file you would still not be able to write to it. This is thanks to interopability, as any read or write commands to Windows files are routed through your Windows user permissions. |
| 66 | + |
| 67 | +#### Creating a file in DriveFS |
| 68 | + |
| 69 | +The result depends on if metadata is enabled. |
| 70 | + |
| 71 | +##### Metadata is not enabled (default) |
| 72 | + |
| 73 | +The Windows permissions of the newly created file will be the same as if you created the file in Windows without a specific security descriptor, it will inherit the parent's permissions. |
| 74 | + |
| 75 | +##### Metadata is enabled |
| 76 | + |
| 77 | +The file's permission bits are set to follow the Linux umask, and the file will be saved with metadata. |
| 78 | + |
| 79 | +#### Which Linux user and Linux group owns the file? |
| 80 | + |
| 81 | +The result depends on if the file already has existing metadata. |
| 82 | + |
| 83 | +##### **The file does not have metadata (default)** |
| 84 | +In the default scenario, when automounting Windows drives, we specify that the user ID (UID) for any file is set to the user ID of your WSL user and the group ID (GID) is set to the principal group ID of your WSL user. |
| 85 | + |
| 86 | +##### The file has metadata |
| 87 | + |
| 88 | +The UID and GID specified in the metadata is applied as the user owner and group owner of the file. |
| 89 | + |
| 90 | +### Accessing Linux files from Windows using `\\wsl$` |
| 91 | + |
| 92 | +Accessing Linux files via `\\wsl$` will use the default user of your WSL distro. Therefore any Windows app accessing Linux files will have the same permissions as the default user. |
| 93 | + |
| 94 | +#### Creating a new file |
| 95 | + |
| 96 | +The default umask is applied when creating a new file inside of a WSL distro from Windows. The default umask is `022`, or in other words it allows all permissions except write permissions to groups and others. |
| 97 | + |
| 98 | +### Accessing files in the Linux root file system from Linux |
| 99 | + |
| 100 | +Any files created, modified, or accessed in the Linux root file system follow standard Linux conventions, such as applying the umask to a newly created file. |
| 101 | + |
| 102 | +## Configuring file permissions |
| 103 | + |
| 104 | +You can configure your file permissions inside of your Windows drives using the mount options in wsl.conf. The mount options allow you to set `umask`, `dmask` and `fmask` permissions masks. The `umask` is applied to all files, the `dmask` is applied just to directories and the `fmask` is applied just to files. These permission masks are then put through a logical OR operation when being applied to files, e.g: If you have a `umask` value of `023` and an `fmask` value of `022` then the resulting permissions mask for files will be `023`. |
| 105 | + |
| 106 | +Please see the ['Manage Linux Distributions'](./wsl-config.md) document page for instructions on how to do this. |
| 107 | +<!-- TODO: Add # to the link--> |
| 108 | + |
0 commit comments